If you use Microsoft Windows Remote Desktop (RDP) to connect to a BU computer from outside of BU, you will need to connect to the VPN before connecting via RDP. Log in at http://vpn.bu.edu.

If you have set up your system to allow remote access, or if you run a server, see the additional instructions below.

Details

The Problem:

On Tuesday, March 13, Microsoft announced that a critical vulnerability had been discovered in all versions of Windows from XP onward. This vulnerability affects the Remote Desktop (RDP) feature of Windows. RDP allows a remote user to connect to the computer, and the vulnerability may allow even an unauthorized person to do so.

The Impact:

An exploit has already been released that will cause a Blue Screen of Death on Windows 7 and a Denial of Service on Windows XP. It is expected that another exploit will soon be released that will allow an attacker to have complete control of the computer. After that, the next expected step is that a self-replicating worm will be released that will automatically jump from host to host, granting the attacker access to the system and taking any other action the attacker may wish.

The Solution:

Microsoft has released a patch for this vulnerability. See below for details on installing it.

What IS&T and the IT Partners are doing:

IS&T and the IT Partners have been working to install this patch on the servers at BU.

Due to the serious nature of this vulnerability, IS&T will be blocking RDP access at the BU firewall within the next few days. This block is necessary because it is common for people to disable the automatic update functionality, so it can reasonably be expected that many systems will remain unpatched for an extended period of time. If we take no action to block access to RDP through the firewall, exploit code could significantly impact the stable operation of computers at BU or otherwise compromise BU operations or protected information. (For reference, as of Monday, 3/19, there were over 3000 computers at BU that had RDP up and operating.)

Related Instructions

If you never use RDP…:

If you do not need to use RDP, you can disable it. Instructions are provided below.